From 7ee0bbd486e261294e57b8695ccc5c676f985ad2 Mon Sep 17 00:00:00 2001 From: Steve Sutton Date: Fri, 24 Apr 2015 16:31:18 -0400 Subject: [PATCH] Security Bug Fix Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress. wrapping this call with esc_url or esc_url_raw to prevent the attack. --- controllers/front.php | 5 ++--- glm-employment.php | 2 +- models/class-glm-list-table.php | 8 ++++---- models/job.php | 2 +- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/controllers/front.php b/controllers/front.php index 5f023f3..30aea10 100644 --- a/controllers/front.php +++ b/controllers/front.php @@ -415,8 +415,7 @@ class glm_employment_front $job->glm_jobs_email = $custom['glm_jobs_email'][0]; $job->glm_jobs_comments = $custom['glm_jobs_comments'][0]; $job->glm_jobs_code = $custom['glm_jobs_code'][0]; - $current_url = add_query_arg($wp->query_string, '', - home_url($wp->request)); + $current_url = esc_url(add_query_arg($wp->query_string, '', home_url($wp->request))); $applyOnlineHref = $current_url . ((strpos($current_url, '?')) ? '&' : '?') . self::FORM_VAR . "=1&job=" . $job->ID; @@ -479,7 +478,7 @@ class glm_employment_front } $jobs = get_posts($args); $totalJobs = count($jobs); - $current_url = add_query_arg($wp->query_string, '', home_url($wp->request)); + $current_url = esc_url(add_query_arg($wp->query_string, '', home_url($wp->request))); $iterator = 1; foreach ($jobs as $job) { $custom = get_post_custom($job->ID); diff --git a/glm-employment.php b/glm-employment.php index bfd4238..1778b43 100644 --- a/glm-employment.php +++ b/glm-employment.php 
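Review bot: esc_url() is an output-context escaper — it entity-encodes `&` as `&#038;` — so after this line `$current_url` is HTML text, yet the very next statement still appends a raw `?`/`&`, `self::FORM_VAR`, `"=1&job="` and `$job->ID` by string concatenation, producing a half-escaped href. The cleaner shape keeps the intermediate value raw and escapes once where the link is finished: `$current_url = add_query_arg($wp->query_string, '', home_url($wp->request));` followed by `$applyOnlineHref = esc_url(add_query_arg(array(self::FORM_VAR => 1, 'job' => (int) $job->ID), $current_url));`. Whether `$applyOnlineHref` is additionally passed through esc_url() when echoed is outside the hunk, so this is hedged on that. Passing `$wp->query_string` as the key argument of add_query_arg() also looks like it treats the whole query string as a single parameter name — worth confirming that is the intent. The enclosing method starts before and ends after the hunk.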
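Review bot: The same placement problem as in the first hunk: esc_url() turns this intermediate value into HTML-escaped text (`&` becomes `&#038;`), and `$current_url` is then consumed inside the `foreach` that continues past the hunk, presumably to build per-job links by concatenation. For a value that is processed further in code rather than printed, `esc_url_raw()` is the matching WordPress escaper — `$current_url = esc_url_raw(add_query_arg($wp->query_string, '', home_url($wp->request)));` — with `esc_url()` applied to each finished link at the point it is echoed. `$wp->request` and `$wp->query_string` are request-derived, so escaping is warranted; only where it happens is the issue. The enclosing method starts before and ends after the hunk.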
@@ -2,7 +2,7 @@ /** * Plugin Name: Gaslight Media Employment * Description: Online Employment Application for Gaslight Media Clients. - * Version: 1.0.3 + * Version: 1.0.4 * Author: Steve Sutton * Author URI: http://www.gaslightmedia.com * License: All right reserved diff --git a/models/class-glm-list-table.php b/models/class-glm-list-table.php index 8d99638..c713a20 100644 --- a/models/class-glm-list-table.php +++ b/models/class-glm-list-table.php @@ -224,7 +224,7 @@ class GLM_List_Table { // Redirect if page number is invalid and headers are not already sent. if ( ! headers_sent() && ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) && $args['total_pages'] > 0 && $this->get_pagenum() > $args['total_pages'] ) { - wp_redirect( add_query_arg( 'paged', $args['total_pages'] ) ); + wp_redirect( esc_url_raw(add_query_arg( 'paged', $args['total_pages'] ) ) ); exit; } @@ -636,7 +636,7 @@ class GLM_List_Table { $current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); - $current_url = remove_query_arg( array( 'hotkeys_highlight_last', 'hotkeys_highlight_first' ), $current_url ); + $current_url = esc_url_raw(remove_query_arg( array( 'hotkeys_highlight_last', 'hotkeys_highlight_first' ), $current_url ) ); $page_links = array(); @@ -806,7 +806,7 @@ class GLM_List_Table { list( $columns, $hidden, $sortable ) = $this->get_column_info(); $current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); - $current_url = remove_query_arg( 'paged', $current_url ); + $current_url = esc_url_raw( remove_query_arg( 'paged', $current_url ) ); if ( isset( $_GET['orderby'] ) ) $current_orderby = $_GET['orderby']; @@ -852,7 +852,7 @@ class GLM_List_Table { $class[] = $desc_first ? 'asc' : 'desc'; } - $column_display_name = '' . $column_display_name . ''; + $column_display_name = '' . $column_display_name . ''; } $id = $with_id ? "id='$column_key'" : ''; diff --git a/models/job.php b/models/job.php index 5f35ba7..21eb477 100644 
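Review bot: With no URL argument, add_query_arg() builds on `$_SERVER['REQUEST_URI']`, which is exactly the injection surface the commit message cites, so esc_url_raw() is the right escaper for a redirect destination (esc_url() would entity-encode `&` and break the query string). Because the destination is always the current admin page with `paged` rewritten, `wp_safe_redirect()` is the stricter call at no cost: `wp_safe_redirect( esc_url_raw( add_query_arg( 'paged', $args['total_pages'] ) ) );`. esc_url_raw() does not validate the host, so a REQUEST_URI that starts with `//` could otherwise reach wp_redirect() as a protocol-relative external target; wp_safe_redirect()'s allowed-host check closes that. The enclosing method continues outside the hunk.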
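Review bot: esc_url_raw() here cleans the base URL for further processing, but `$current_url` is built from `$_SERVER['HTTP_HOST']` and `$_SERVER['REQUEST_URI']` and — past the end of the hunk — is presumably expanded into `$page_links` with add_query_arg() and echoed; each of those final hrefs still needs `esc_url()` at the point of output, as `esc_url( add_query_arg( 'paged', $n, $current_url ) )`. Without that, escaping the base only strips the obvious payload and this hunk should not be read as closing the XSS in pagination on its own. HTTP_HOST is also attacker-influenced unless the server pins its name, and esc_url_raw() does not validate it. The enclosing method starts before and ends after the hunk.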
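Review bot: The escaping fix stops at `$current_url`; two lines later `$current_orderby = $_GET['orderby'];` takes the raw query value with no sanitization. If, as in core's print_column_headers(), it is only compared against the sortable column keys it cannot inject markup, but that depends on every later use in a method that continues outside the hunk, so it is cheaper to sanitize at the read: `$current_orderby = sanitize_key( wp_unslash( $_GET['orderby'] ) );` (or reject anything that is not one of the sortable keys). The same applies to `$_GET['order']` if the method reads it below. The enclosing method starts before and ends after the hunk.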
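Review bot: The rendered old and new lines `$column_display_name = '' . $column_display_name . '';` are identical, so the markup that actually changed — presumably the anchor wrapping the add_query_arg() sort link — has been stripped from this page and the fix cannot be verified here. The check a reviewer wants on the new side is that the href is `esc_url( add_query_arg( array( 'orderby' => $orderby, 'order' => $order ), $current_url ) )` and that nothing request-derived lands in the anchor outside that attribute. `$column_display_name` itself comes from get_columns() and is developer-defined, so it is not the concern. The enclosing method starts before and ends after the hunk.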
--- a/models/job.php +++ b/models/job.php @@ -56,7 +56,7 @@ class glm_employment_job 'taxonomy' => $tax_slug, 'name' => $tax_obj->name, 'orderby' => 'name', - 'selected' => $_GET[$tax_slug], + 'selected' => (isset($_GET[$tax_slug]) ? $_GET[$tax_slug] : ''), 'hierarchical' => $tax_obj->hierarchical, 'show_count' => true, 'hide_empty' => true -- 2.17.1
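Review bot: The isset() guard only removes the undefined-index notice; the raw `$_GET[$tax_slug]` value still flows into the `selected` argument unsanitized. If the callee (presumably wp_dropdown_categories(), given the argument keys) only compares `selected` against term ids or slugs it cannot inject markup, but that is a property of the callee rather than of this code, so sanitize at the read: `'selected' => isset($_GET[$tax_slug]) ? sanitize_text_field( wp_unslash( $_GET[$tax_slug] ) ) : '',`. The enclosing argument array and call start before and end after the hunk.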